CVE-2026-33722: Authorization Bypass and Secret Extraction in n8n External Vaults
Vulnerability ID: CVE-2026-33722
CVSS Score: 7.3
Published: 2026-03-25
An incorrect authorization vulnerability in the n8n workflow automation platform permits authenticated, low-privileged users to extract plaintext secrets from connected external vaults. By bypassing specific permission checks during credential creation, attackers can compromise sensitive infrastructure credentials.
TL;DR
Authenticated n8n users lacking necessary permissions can extract plaintext secrets from external vaults (e.g., AWS, HashiCorp) by referencing guessed secret names during credential creation. Upgrading to versions 1.123.23 or 2.6.4 mitigates this vulnerability.
Technical Details
- CWE ID: CWE-863
- Attack Vector: Network
- CVSS Score: 7.3
- Exploit Status: none
- KEV Status: Not Listed
- Impact: High Confidentiality
Affected Systems
- n8n instances with external secrets vault feature configured
-
n8n: < 1.123.23 (Fixed in:
1.123.23) -
n8n: >= 2.0.0-rc.0, < 2.6.4 (Fixed in:
2.6.4)
Mitigation Strategies
- Restrict access to highly trusted users
- Disable external secrets integration temporarily
- Audit user roles and permissions
Remediation Steps:
- Verify the current n8n version deployed in the environment.
- Upgrade n8n to version 1.123.23 (for 1.x branch) or 2.6.4 (for 2.x branch).
- Audit existing credentials for unauthorized modifications or abnormal secret references.
- Rotate any external secrets (AWS, Vault, etc.) that may have been exposed during the vulnerable period.
References
Read the full report for CVE-2026-33722 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)